How cyber crime can wreak havoc on your business
Here's what happened when my company fell victim to a phishing scam
Phishing (noun): the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
As a leader, it’s hard to admit poor judgment and corporate weakness. But here I am, confessing that we fell victim to a “spear phishing” scam resulting in a $50,000 loss to our company, despite having IT security measures and staff training in place.
In November 2016, I received a panicked call from our finance team asking why I needed “another $18,500.” I responded that I did not ask for such funds and was unaware of any previous financial requests.
“Didn’t you request money last week to be wired as emergency payment to a vendor in Alabama?” asked our controller.
Confused, I responded, “I made no requests and we don’t have vendors in Alabama.”
Instantly, we launched into a roller-coaster ride through a complicated world of cyber crime.
Here’s the story: Someone trolled my social media pages. Through careful “social engineering,” they probably tracked my family connections, my friends and knew my employees and our company organizational chart. This person then created an email address identical to my real business email except for one additional character buried in the middle. They copied my signature block and sent a wire request to our head of finance. It appeared official and our controller responded.
A week later, the fake “me” was back asking for more money. The controller pushed back, but once again wired the money, trying to avoid conflict. I was not in the office, and the controller did not try to reach me in person until after the second wire was sent.
Our VP of operations and the controller finally called me with concerns about these unplanned financial needs. The gravity of what happened hit us and revealed significant weaknesses in our cyber security and financial controls as well as our communication and trust.
We filed a police report and worked with the Colorado Springs Police Department to track the wires to an unsuspecting individual in Alabama. The woman at the other end of the wire had recently met a new boyfriend online, and she was allowing him to use her checking account for deposits because “he was a soldier in Iraq and didn’t have a place to deposit money.” The “boyfriend” convinced her to wire the funds to “needy family.” The police report indicates she was shocked at the truth of the situation.
Because we have cybertheft insurance, a claim was filed and the financial loss was thankfully minimal in the end. Often thefts like this can be much worse. Because our theft happened across multiple counties, state lines and possibly countries, there are few cyber laws that apply. Our bad guy was never caught and the case was closed.
The Department of Homeland Security says that 44 percent of small businesses report cyber attacks and more than half don't have any response plan for data hacks. Of all cyber crimes, spear phishing is among the most sophisticated, yet simplest to carry out. The criminal doesn't need the skill to write malicious code that takes down a network or a business; they just have to know who you are, how you communicate and where you are vulnerable.
Spear phishers target people with something in common: a workplace, a bank, shopping habits and so on. They send authentic-looking emails with an urgent, plausible need for action or personal data. The emails appear to come from people you would expect to hear from, which makes them highly deceptive and hard to spot. The variant described here, in which an executive's identity is used to order a payment, is commonly called business email compromise or CEO fraud. In our case, the criminal banked on the CEO/controller relationship, and we relied on email far more than on in-person communication or phone calls.
After this experience, our organization went through significant analysis to account for the breakdown in security, controls and communication. In the end, our controller resigned, we’ve implemented strict email filters, password requirements and internal financial security controls with layered requirements requiring in-person discussions.
Cyber law enforcement is a rapidly growing field, driven by the number and price tag of malicious activities. The FBI handles cyber investigations with other law enforcement partners, including the U.S. Secret Service, the Department of Defense and individual state and local law enforcement units. Well-funded private security companies, think tanks, security software vendors and more are also now entering the mix.
In the last year, victims have ranged from companies the size of ours to Anthem Inc., where millions of patient records were exposed, and even the U.S. Military's Central Command social media accounts. It can happen to any business. Here is what the FBI, along with Navakai, a Colorado-based IT security company, recommends you do to help prevent cyber crime:
- Always call to confirm when a person or organization asks for personal information or a payment, and don't use the phone number in the email, since the attacker may control that as well. Use a number you already have on file.
- Use a phishing filter.
- Never follow a link from an email to log in to a site; type the address yourself or use a bookmark.
- Keep your software and firmware up to date, as well as your awareness of news and trends in cyber security.
- Use a password manager.
- Don't link accounts together, so that one compromised login doesn't expose the others.
- Create a unique password for every account using letters, symbols and numbers, and change any password you suspect has been exposed.
- Use two-factor authentication, especially on email and banking accounts.
- Use the encrypted version of a website (https), and check for it before entering credentials or payment details.
- Keep your browsing history private.
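Two of the controls above can be checked mechanically before anyone touches a wire form: whether the sender's address is really the executive's or merely resembles it (the story's "one additional character buried in the middle"), and which phone number to call back, taken from a directory of record rather than from the email. The following is an added example, not code from the article or the company; the directory entries, addresses and phone number in it are constructed for illustration, and the confusable-character folding goes slightly beyond the single-inserted-character case the story describes.

```python
"""Lookalike-sender check for incoming payment requests.

Added example (not code from the original article). It flags a From: header
that resembles, but does not exactly match, an address in a directory of
record, and returns the callback number from that directory rather than
anything found in the message. All names, addresses and numbers are constructed.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumed directory of record: who may authorize payments and the number to
# call them back on. Constructed example values, not real contact details.
DIRECTORY = {
    "erin.gibbs@americanvein.example": {"name": "Erin Gibbs", "phone": "+1 719 555 0100"},
}

# Characters that read like letters in many fonts; fold them before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s"})


def normalize(addr: str) -> str:
    """Lowercase, drop accents, fold digit/letter lookalikes, and treat 'rn' as 'm'."""
    addr = unicodedata.normalize("NFKD", addr).encode("ascii", "ignore").decode()
    return addr.lower().translate(CONFUSABLES).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    status: str                 # "trusted", "lookalike" or "unknown"
    matched: str | None         # directory address the sender matches or resembles
    callback: str | None        # phone number from the directory, never from the email
    reasons: list[str] = field(default_factory=list)


def check_sender(header_from: str, directory=DIRECTORY, max_distance: int = 1) -> Verdict:
    """Classify a From: header against the directory of record."""
    display, addr = parseaddr(header_from)
    addr = addr.lower()
    if addr in directory:
        return Verdict("trusted", addr, directory[addr]["phone"], ["exact match in directory"])
    norm = normalize(addr)
    domain = norm.rpartition("@")[2]
    for real, info in directory.items():
        real_norm = normalize(real)
        real_domain = real_norm.rpartition("@")[2]
        reasons = []
        if norm == real_norm:
            reasons.append("differs from %s only by confusable characters" % real)
        elif levenshtein(norm, real_norm) <= max_distance:
            reasons.append("within edit distance %d of %s" % (max_distance, real))
        elif domain != real_domain and levenshtein(domain, real_domain) <= max_distance:
            reasons.append("domain %r resembles %r" % (domain, real_domain))
        # A free-mail address carrying the executive's display name is the other
        # common impersonation pattern; catch it even when the address is unrelated.
        if display and display.strip().lower() == info["name"].lower():
            reasons.append("display name %r matches %s but the address does not" % (display, real))
        if reasons:
            return Verdict("lookalike", real, info["phone"], reasons)
    return Verdict("unknown", None, None, ["sender not in the directory of record"])


if __name__ == "__main__":
    # Constructed From: headers, not messages from any real incident.
    for sample in (
        "Erin Gibbs <erin.gibbs@americanvein.example>",
        "Erin Gibbs <erin.gibbbs@americanvein.example>",   # one extra character
        "Erin Gibbs <erin.gibbs@arnericanvein.example>",   # 'rn' standing in for 'm'
        "Erin Gibbs <erin.gibbs1985@webmail.example>",     # free-mail with the CEO's name
        "Acme Supply <ap@acme-supply.example>",
    ):
        v = check_sender(sample)
        print(v.status, v.callback, "; ".join(v.reasons))
```

Anything that comes back "lookalike" or "unknown" should stop the payment until someone has spoken to the requester on the directory number; a "trusted" result only means the header matches, not that the mailbox has not been taken over, so the callback step still applies to any unusual or urgent request.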
Erin Gibbs is Founder and CEO of American Vein & Vascular Institute Practice Management, an award winning, family-owned and managed company that oversees the American Vein & Vascular network of vein and arterial clinics. The company began as Rocky Mountain Vein Institute in 2009. Erin Gibbs can be reached directly at firstname.lastname@example.org or 719.543.8346. Visit www.americanvein.com for more information.